<!doctype html><html lang="en"><head><script defer src="https://cdn.optimizely.com/js/16180790160.js"></script><title data-rh="true">Detection and Response for Linux Reflective Code Loading Malware— This is How | by Rex Guo | Confluera Engineering | Dec, 2021 | Medium</title><meta data-rh="true" charset="utf-8"/><meta data-rh="true" name="viewport" content="width=device-width,minimum-scale=1,initial-scale=1,maximum-scale=1"/><meta data-rh="true" name="theme-color" content="#000000"/><meta data-rh="true" name="twitter:app:name:iphone" content="Medium"/><meta data-rh="true" name="twitter:app:id:iphone" content="828256236"/><meta data-rh="true" property="al:ios:app_name" content="Medium"/><meta data-rh="true" property="al:ios:app_store_id" content="828256236"/><meta data-rh="true" property="al:android:package" content="com.medium.reader"/><meta data-rh="true" property="fb:app_id" content="542599432471018"/><meta data-rh="true" property="og:site_name" content="Medium"/><meta data-rh="true" property="og:type" content="article"/><meta data-rh="true" property="article:published_time" content="2021-12-04T06:11:00.724Z"/><meta data-rh="true" name="title" content="Detection and Response for Linux Reflective Code Loading Malware— This is How | by Rex Guo | Confluera Engineering | Dec, 2021 | Medium"/><meta data-rh="true" property="og:title" content="Detection and Response for Linux Reflective Code Loading Malware— This is How"/><meta data-rh="true" property="twitter:title" content="Detection and Response for Linux Reflective Code Loading Malware— This is How"/><meta data-rh="true" name="twitter:site" content="@Medium"/><meta data-rh="true" name="twitter:app:url:iphone" content="medium://p/21f9c7d8a014"/><meta data-rh="true" property="al:android:url" content="medium://p/21f9c7d8a014"/><meta data-rh="true" property="al:ios:url" content="medium://p/21f9c7d8a014"/><meta data-rh="true" property="al:android:app_name" content="Medium"/><meta data-rh="true" name="description" 
content="In part 1 of this blog series, we discussed how reflective code loading using anonymous files works in Linux. In this blog, We will dive deeper into how to detect and respond to such behavior. We…"/><meta data-rh="true" property="og:description" content="Summary"/><meta data-rh="true" property="twitter:description" content="Summary"/><meta data-rh="true" property="og:url" content="https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014"/><meta data-rh="true" property="al:web:url" content="https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014"/><meta data-rh="true" property="og:image" content="https://miro.medium.com/max/1200/1*e7pB-lobhFELlsuHZB-1cQ.png"/><meta data-rh="true" name="twitter:image:src" content="https://miro.medium.com/max/1200/1*e7pB-lobhFELlsuHZB-1cQ.png"/><meta data-rh="true" name="twitter:card" content="summary_large_image"/><meta data-rh="true" property="article:author" content="https://rex-11050.medium.com"/><meta data-rh="true" name="twitter:creator" content="@Xiaofei_REX"/><meta data-rh="true" name="author" content="Rex Guo"/><meta data-rh="true" name="robots" content="index,follow,max-image-preview:large"/><meta data-rh="true" name="referrer" content="unsafe-url"/><meta data-rh="true" name="twitter:label1" content="Reading time"/><meta data-rh="true" name="twitter:data1" content="5 min read"/><link data-rh="true" rel="search" type="application/opensearchdescription+xml" title="Medium" href="/osd.xml"/><link data-rh="true" rel="apple-touch-icon" sizes="152x152" href="https://miro.medium.com/fit/c/152/152/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="apple-touch-icon" sizes="120x120" href="https://miro.medium.com/fit/c/120/120/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="apple-touch-icon" sizes="76x76" 
href="https://miro.medium.com/fit/c/76/76/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="apple-touch-icon" sizes="60x60" href="https://miro.medium.com/fit/c/60/60/1*sHhtYhaCe2Uc3IU0IgKwIQ.png"/><link data-rh="true" rel="mask-icon" href="https://cdn-static-1.medium.com/_/fp/icons/Medium-Avatar-500x500.svg" color="#171717"/><link data-rh="true" rel="preconnect" href="https://glyph.medium.com" crossOrigin=""/><link data-rh="true" rel="preconnect" href="https://logx.optimizely.com"/><link data-rh="true" id="glyph_preload_link" rel="preload" as="style" type="text/css" href="https://glyph.medium.com/css/unbound.css"/><link data-rh="true" id="glyph_link" rel="stylesheet" type="text/css" href="https://glyph.medium.com/css/unbound.css"/><link data-rh="true" rel="author" href="https://rex-11050.medium.com"/><link data-rh="true" rel="canonical" href="https://medium.com/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014"/><link data-rh="true" rel="alternate" href="android-app://com.medium.reader/https/medium.com/p/21f9c7d8a014"/><link data-rh="true" rel="icon" href="https://miro.medium.com/1*m-R_BkNf1Qjr1YbyOIJY2w.png"/><script data-rh="true" type="application/ld+json">{"@context":"http:\u002F\u002Fschema.org","@type":"NewsArticle","image":["https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F1200\u002F1*e7pB-lobhFELlsuHZB-1cQ.png"],"url":"https:\u002F\u002Fmedium.com\u002Fconfluera-engineering\u002Fdetection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014","dateCreated":"2021-12-03T18:59:48.517Z","datePublished":"2021-12-03T18:59:48.517Z","dateModified":"2021-12-22T03:39:16.679Z","headline":"Detection and Response for Linux Reflective Code Loading Malware— This is How","name":"Detection and Response for Linux Reflective Code Loading Malware— This is How","description":"In part 1 of this blog series, we discussed how reflective code loading using anonymous files works in Linux. 
In this blog, We will dive deeper into how to detect and respond to such behavior. We…","identifier":"21f9c7d8a014","author":{"@type":"Person","name":"Rex Guo","url":"https:\u002F\u002Frex-11050.medium.com"},"creator":["Rex Guo"],"publisher":{"@type":"Organization","name":"Confluera Engineering","url":"https:\u002F\u002Fmedium.com\u002Fconfluera-engineering","logo":{"@type":"ImageObject","width":60,"height":60,"url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F120\u002F1*ZP9VuUzDajG62zTUd0fdpw.png"}},"mainEntityOfPage":"https:\u002F\u002Fmedium.com\u002Fconfluera-engineering\u002Fdetection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014"}</script></head><body><div id="root"><div class="a b c"><div class="s"><article><div><div><section class="cl cm cn co cp"><div class="n p"><div class="ab ac ae af ag cq ai aj"><div class=""><h1 id="578a" class="cr cs ct cu b cv cw cx cy cz da db dc dd de df dg dh di dj dk dl dm dn do dp dq"><strong class="dr">Detection and Response for Linux Reflective Code Loading Malware— This is How</strong></h1><div 
class="ds"><div class="n dt du dv dw"><div class="o n"><div><a href="https://rex-11050.medium.com/?source=post_page-----21f9c7d8a014-----------------------------------" rel="noopener follow"><img alt="Rex Guo" class="s dx dy dz" src="https://miro.medium.com/fit/c/96/96/1*oJssekvq2DlebIDSamLo-A.png" width="48" height="48"/></a></div><div class="ea aj s"><div class="n"><div style="flex:1"><span class="eb b ec ed dq"><div class="ee n o ef"><span class="eb b ec ed bb eg eh ei ej ek el dq"><a class="em en eo ep eq er dr es bg et eu ev ew ex" href="https://rex-11050.medium.com/?source=post_page-----21f9c7d8a014-----------------------------------" rel="noopener follow">Rex Guo</a></span></div></span></div></div><span class="eb b ec ed ge"><span class="eb b ec ed bb eg eh ei ej ek el ge"><div><a class="em en eo ep eq er dr es bg et eu ev ew ex" rel="noopener follow" href="/confluera-engineering/detection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014?source=post_page-----21f9c7d8a014-----------------------------------"><span>Dec 3, 2021</span></a> · 5 min read</div></span></span></div></div></div></div></div><figure class="gs gt gu gv gw gx bx by paragraph-image"><div class="bx by gr"><img alt="" class="aj hd he" src="https://miro.medium.com/max/1400/1*e7pB-lobhFELlsuHZB-1cQ.png" width="700" height="338" role="presentation"/></div><figcaption class="hf hg bz bx by hh hi eb b ec ed ge">Human fighting with virus. Source: <a class="em hj" href="http://www.newyorker.com" rel="noopener ugc nofollow" target="_blank">www.newyorker.com</a></figcaption></figure><p id="d391" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq"><strong class="hm ii">Summary</strong></p><p id="b73a" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">In <a class="em hj" href="https://rex-11050.medium.com/reflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301" rel="noopener">part 1</a> of this blog series, we discussed how reflective code loading using anonymous files works in Linux. In this blog, we will dive deeper into how to detect and respond to such behavior. 
We will also discuss legitimate usage of the anonymous file.</p><p id="3a2a" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">This blog is co-authored with <a class="em hj" rel="noopener" href="/@joel.schopp">Joel Schopp</a>.</p><h1 id="47a4" class="ij ik ct eb il im in hp io ip iq ht ir is it iu iv iw ix iy iz ja jb jc jd je dq"><strong class="dr">How to Detect Anonymous File Execution?</strong></h1><p id="6f77" class="hk hl ct hm b hn jf hp hq hr jg ht hu hv jh hx hy hz ji ib ic id jj if ig ih cl dq">The ideal scenario is when reflective code loading happens, security teams get notified in real-time and can examine the application behaviors. If the security team does not have such real-time detection capabilities or have to manually respond to such threats, here are a few things the team can do.</p><p id="42ec" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq"><code class="jk jl jm jn jo b">lsof</code> is a utility to list open files in linux. It shows the list of open file descriptors. 
If the anonymous file is created.</p><pre class="gs gt gu gv gw jp fx bj"><span id="ffcd" class="dq jq ik ct jo b jr js jt s ju">$ sudo lsof | head -n 5</span><span id="0562" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME</span><span id="32f1" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">systemd 1 root cwd DIR 8,1 4096 2 /</span><span id="15ab" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">systemd 1 root rtd DIR 8,1 4096 2 /</span><span id="2dfa" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">systemd 1 root txt REG 8,1 1616248 3675243 /lib/systemd/systemd</span><span id="1ea6" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">systemd 1 root mem REG 8,1 1700792 3670102 /lib/x86_64-linux-gnu/libm-2.27.so</span></pre><p id="3f14" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq"><code class="jk jl jm jn jo b">lsof</code>is able to list some process attributes of the process that owns the file and also file attributes related to the file. 
To narrow the listing to the anonymous files that reflective code loading relies on, we can run</p><pre class="gs gt gu gv gw jp fx bj"><span id="a3d3" class="dq jq ik ct jo b jr js jt s ju">$ sudo lsof | grep memfd<br/>…</span><span id="88d8" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">snapd-gli 2519 2522 alice 6u REG 0,1 67108864 143494 /memfd:pulseaudio (deleted)</span><span id="5b13" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">gsd-media 2743 alice DEL REG 0,1 146019 /memfd:pulseaudio</span><span id="7063" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">gsd-media 2743 alice DEL REG 0,1 143494 /memfd:pulseaudio</span><span id="0558" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">gsd-media 2743 alice DEL REG 0,1 145962 /memfd:pulseaudio</span><span id="35e0" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">gmain 2743 2801 alice DEL REG 0,1 146019 /memfd:pulseaudio</span><span id="58ee" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">gmain 2743 2801 alice DEL REG 0,1 143494 /memfd:pulseaudio</span><span id="8600" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">gmain 2743 2801 alice DEL REG 0,1 145962 /memfd:pulseaudio</span><span id="8488" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">gdbus 2743 2802 alice DEL REG 0,1 146019 /memfd:pulseaudio</span><span id="2908" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">gdbus 2743 2802 alice DEL REG 0,1 143494 /memfd:pulseaudio</span><span id="b515" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">gdbus 2743 2802 alice DEL REG 0,1 145962 /memfd:pulseaudio</span><span id="9b8e" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">dconf\x20 2743 2816 alice DEL REG 0,1 146019 /memfd:pulseaudio</span><span id="9f47" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">dconf\x20 2743 2816 alice DEL REG 0,1 143494 /memfd:pulseaudio</span><span id="0e9b" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">dconf\x20 2743 2816 alice DEL REG 0,1 145962 /memfd:pulseaudio</span><span id="c4ba" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">4 40215 alice cwd DIR 8,1 4096 403246 /home/alice/memfd_create</span><span id="ddf4" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">4 40215 alice txt REG 0,1 23976 16703995 /memfd:a (deleted)</span></pre><p id="4c70" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">This particular entry from the listing above looks interesting:</p><pre class="gs gt gu gv gw jp fx bj"><span id="8e92" class="dq jq ik ct jo b jr js jt s ju">COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME</span><span id="8ffb" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">4 40215 alice txt REG 0,1 23976 16703995 /memfd:a (deleted)</span></pre><p id="af4a" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">The <code class="jk jl jm jn jo b">NAME</code> field holds the path of the file, and we can see that anonymous files can be identified by the <code class="jk jl jm jn jo b">/memfd:</code> prefix.</p><p id="863c" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">The <code class="jk jl jm jn jo b">a</code> in <code class="jk jl jm jn jo b">/memfd:a (deleted)</code> comes from the name argument we passed to the <code class="jk jl jm jn jo b">memfd_create()</code> syscall. This name can be chosen freely by the application. Please refer to the first part of this blog series for the source code of the demo program.</p><p id="4274" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">The <code class="jk jl jm jn jo b">FD</code> column indicates that this is a <code class="jk jl jm jn jo b">TXT</code> entry, i.e., program text: a binary that is being executed.</p><p id="0c13" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">Together, these indicators tell us that this is reflective code loading using anonymous files. What is interesting is that the COMMAND column shows <code class="jk jl jm jn jo b">4</code>. 
This is because when the anonymous file is executed by the child process, its file descriptor is number 4, and that number shows up as the command. A numeric command name is unusual and can serve as a suspicious indicator. However, be aware that an attacker can use <code class="jk jl jm jn jo b">prctl</code> to change the command field of a process to something that looks legitimate after executing the anonymous file.</p><h1 id="7fc2" class="ij ik ct eb il im in hp io ip iq ht ir is it iu iv iw ix iy iz ja jb jc jd je dq"><strong class="dr">How to Respond to Reflective Code Loading?</strong></h1><p id="ccd8" class="hk hl ct hm b hn jf hp hq hr jg ht hu hv jh hx hy hz ji ib ic id jj if ig ih cl dq">If we identify reflective code loading, the next step is to analyze whether the application behaves maliciously and whether it is a legitimate ELF binary. The former can be achieved with real-time detection tools. For the latter, we can dump the ELF binary directly from the <code class="jk jl jm jn jo b">/proc</code> file system. 
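The detection indicators above and the dump step just described, combined into one added example that is not code from the post: it parses plain lsof rows like the listing above, cross-checks /proc/&lt;pid&gt;/exe (a kernel-maintained link that prctl cannot rename, unlike COMMAND), and dumps and sanity-checks the resulting ELF image the way the file command does. The sample lsof rows and the 20-byte ELF prefix are constructed; the function names and the /tmp output paths are my own choices.

```python
# Added example, not code from the post: triage memfd-backed executables
# (lsof row parsing, a /proc cross-check, dump plus ELF sanity check).
import os
import shutil
import struct

# Constructed sample modelled on the lsof listing in the post.
SAMPLE_LSOF = """\
COMMAND PID TID USER FD TYPE DEVICE SIZE/OFF NODE NAME
systemd 1 root txt REG 8,1 1616248 3675243 /lib/systemd/systemd
snapd-gli 2519 2522 alice 6u REG 0,1 67108864 143494 /memfd:pulseaudio (deleted)
gsd-media 2743 alice DEL REG 0,1 146019 /memfd:pulseaudio
4 40215 alice cwd DIR 8,1 4096 403246 /home/alice/memfd_create
4 40215 alice txt REG 0,1 23976 16703995 /memfd:a (deleted)
"""


def parse_lsof_line(line):
    """Return (command, pid, fd, name) for one lsof row, None for the header.

    lsof omits TID and SIZE/OFF on some rows, so NAME is taken from the first
    token starting with '/' (it may carry ' (deleted)'). Assumes USER is a name.
    """
    tokens = line.split()
    if len(tokens) < 5 or not tokens[1].isdigit():
        return None
    rest = tokens[3:] if tokens[2].isdigit() else tokens[2:]  # drop optional TID
    start = next((i for i, t in enumerate(rest) if t.startswith("/")), None)
    if start is None:
        return None
    return tokens[0], int(tokens[1]), rest[1], " ".join(rest[start:])


def find_memfd_executables(lsof_text):
    """Flag rows whose NAME is an anonymous memfd file, with the reasons."""
    findings = []
    for line in lsof_text.splitlines():
        parsed = parse_lsof_line(line)
        if parsed is None or not parsed[3].startswith("/memfd:"):
            continue
        command, pid, fd, name = parsed
        reasons = []
        if fd == "txt":
            reasons.append("mapped as program text: the memfd is being executed")
        if name.endswith("(deleted)"):
            reasons.append("backing file already unlinked")
        if command.isdigit():  # weak signal: COMMAND can be rewritten via prctl
            reasons.append("numeric COMMAND, typical of exec through an fd")
        findings.append({"pid": pid, "command": command, "fd": fd,
                         "name": name, "reasons": reasons})
    return findings


def scan_proc_exe(proc_root="/proc"):
    """Return (pid, target) pairs whose /proc/<pid>/exe resolves into /memfd:.

    The exe link is set by the kernel at exec time and is not changed by
    prctl; entries we may not read (or that already exited) are skipped.
    """
    hits = []
    if not os.path.isdir(proc_root):
        return hits
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            try:
                target = os.readlink(os.path.join(proc_root, entry, "exe"))
            except OSError:
                continue
            if target.startswith("/memfd:"):
                hits.append((int(entry), target))
    return hits


def dump_process_exe(pid, dest_path, proc_root="/proc"):
    """Copy /proc/<pid>/exe (still readable although unlinked) and return its size."""
    src = os.path.join(proc_root, str(pid), "exe")
    with open(src, "rb") as fin, open(dest_path, "wb") as fout:
        shutil.copyfileobj(fin, fout)
    return os.path.getsize(dest_path)


E_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
E_MACHINE = {0x03: "Intel 80386", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64"}


def describe_elf(data):
    """Summarise an ELF image's first 20 bytes in `file`'s wording, or None."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    bits = 64 if data[4] == 2 else 32
    endian = "LSB" if data[5] == 1 else "MSB"
    e_type, e_machine = struct.unpack(("<" if data[5] == 1 else ">") + "HH", data[16:20])
    return "ELF %d-bit %s %s, %s" % (bits, endian, E_TYPE.get(e_type, "unknown type"),
                                     E_MACHINE.get(e_machine, hex(e_machine)))


# Constructed 20-byte prefix of an x86-64 little-endian ET_DYN image, the
# shape `file` reported for the dump in the post.
SAMPLE_ELF_PREFIX = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8 + struct.pack("<HH", 3, 0x3E)

if __name__ == "__main__":
    for f in find_memfd_executables(SAMPLE_LSOF):
        print(f["pid"], f["command"], f["fd"], f["name"], "|", "; ".join(f["reasons"]))
    for pid, target in scan_proc_exe():  # live hits on this host, dumped to /tmp
        try:
            size = dump_process_exe(pid, f"/tmp/{pid}_elf")
        except OSError as exc:
            print("live:", pid, target, "cannot dump:", exc)
            continue
        with open(f"/tmp/{pid}_elf", "rb") as fh:
            print("live:", pid, target, size, "bytes:", describe_elf(fh.read(20)))
```

Running it as a script prints the three memfd rows from the constructed sample with their reasons, then any live hits on the host; the /proc walk is the check to trust, since a renamed COMMAND does not change where the exe link points.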
Given that the process that owns the reflectively loaded file has PID 40215, we can run:</p><pre class="gs gt gu gv gw jp fx bj"><span id="0874" class="dq jq ik ct jo b jr js jt s ju">$ cat /proc/40215/exe &gt; /tmp/40215_elf</span><span id="f382" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">$ file /tmp/40215_elf</span><span id="9392" class="dq jq ik ct jo b jr jv jw jx jy jz jt s ju">40215_elf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=1bc82caf2f0c662f06e0c338e4d4db7d9d610cd0, stripped</span></pre><p id="9781" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">Since we now have the full ELF file, it can be analyzed with the traditional binary analysis tool chain.</p><h1 id="d859" class="ij ik ct eb il im in hp io ip iq ht ir is it iu iv iw ix iy iz ja jb jc jd je dq"><strong class="dr">Legitimate use cases of Reflective Code Loading</strong></h1><p id="84d2" class="hk hl ct hm b hn jf hp hq hr jg ht hu hv jh hx hy hz ji ib ic id jj if ig ih cl dq">Whenever we discuss attacker behaviors, it is necessary to understand the full picture, i.e., what are the legitimate use cases?</p><p id="e6db" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">In fact, reflective code loading has been used to fix a Docker security vulnerability. CVE-2019-5736 is a runc vulnerability that allows an attacker to break out of a container. This blog summarizes the vulnerability and focuses on how reflective code loading is used to patch security vulnerabilities. 
For in-depth details of the vulnerability, we recommend this <a class="em hj" href="https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/" rel="noopener ugc nofollow" target="_blank">blog</a> from Unit 42 researchers.</p><p id="19b7" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">CVE-2019-5736 allows an attacker to overwrite the host runc binary through symbolic links. The container runtime is tricked into opening a symbolic link in the <code class="jk jl jm jn jo b">/proc</code> file system that points to the runc binary. The attacker inside the container can then obtain a handle to the runc file on the host and overwrite the binary once the runc process exits.</p><p id="8ad6" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">To prevent this attack, LXC has been patched to create a temporary copy of the calling binary itself when it starts or attaches to containers. To do this, LXC creates an anonymous in-memory file using the <code class="jk jl jm jn jo b">memfd_create()</code> system call and copies itself into that file, which is then sealed to prevent further modification. LXC then executes this sealed in-memory file instead of the original on-disk binary. Any compromising write from a privileged container to the host LXC binary will therefore land in the temporary in-memory copy rather than in the on-disk host binary, preserving the integrity of the host LXC binary. 
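The sealed in-memory copy just described, reduced to its system calls as an added example rather than LXC's own code: it copies a stand-in byte string into a memfd created with sealing allowed, applies all four seals, and records how later modifications fail and what name /proc reports for the copy (the same /memfd: form seen in the lsof listing earlier). The memfd name lxc-self-copy and the stand-in bytes are constructed, and the exec of the sealed copy is deliberately left out; it assumes Linux with Python 3.8 or later.

```python
# Added example (not LXC's code): a memfd self-copy that is sealed so that
# writes, shrinking and growing all fail once the copy has been taken.
import errno
import fcntl
import os

# Linux fcntl(2) sealing constants. Python 3.9+ exports them from fcntl; the
# literals are the kernel's values, used as a fallback on older interpreters.
F_ADD_SEALS = getattr(fcntl, "F_ADD_SEALS", 1033)
F_SEAL_SEAL = getattr(fcntl, "F_SEAL_SEAL", 0x0001)
F_SEAL_SHRINK = getattr(fcntl, "F_SEAL_SHRINK", 0x0002)
F_SEAL_GROW = getattr(fcntl, "F_SEAL_GROW", 0x0004)
F_SEAL_WRITE = getattr(fcntl, "F_SEAL_WRITE", 0x0008)
ALL_SEALS = F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE


def sealed_memfd_copy(image, name="lxc-self-copy"):
    """Copy `image` into an anonymous memfd, seal it, and return the fd.

    MFD_ALLOW_SEALING must be requested at creation time. F_SEAL_WRITE,
    F_SEAL_SHRINK and F_SEAL_GROW freeze contents and size; F_SEAL_SEAL
    prevents the seal set from being changed again.
    """
    fd = os.memfd_create(name, os.MFD_CLOEXEC | os.MFD_ALLOW_SEALING)
    view = memoryview(image)
    while view:  # os.write may write fewer bytes than requested
        view = view[os.write(fd, view):]
    fcntl.fcntl(fd, F_ADD_SEALS, ALL_SEALS)
    return fd


def _outcome(op):
    """Run op(); return 'ok' or the errno name it failed with."""
    try:
        op()
        return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))


def demonstrate(image=b"constructed stand-in for the runtime binary"):
    """Seal a copy of `image`, then record how modifying it fails.

    Returns None where memfd_create or sealing is unavailable, otherwise a
    dict with the result of each attempted modification and the /proc name.
    """
    if not hasattr(os, "memfd_create"):
        return None
    try:
        fd = sealed_memfd_copy(image)
    except OSError:
        return None  # kernel or sandbox without memfd sealing
    result = {
        "content_intact": os.pread(fd, len(image) + 1, 0) == image,
        "write": _outcome(lambda: os.write(fd, b"X")),
        "shrink": _outcome(lambda: os.ftruncate(fd, 0)),
        "grow": _outcome(lambda: os.ftruncate(fd, len(image) + 4096)),
        # The copy has no path on disk; /proc names it "/memfd:<name> (deleted)",
        # which is exactly the indicator the detection section keys on.
        "proc_name": (os.readlink(f"/proc/self/fd/{fd}")
                      if os.path.exists("/proc/self/fd") else None),
    }
    os.close(fd)
    return result


if __name__ == "__main__":
    print(demonstrate())
```

On a Linux host the three modification attempts all report EPERM while the original bytes read back unchanged, which is the property the patched LXC relies on; note that a defender's tooling will see this sealed copy under /memfd: just like the malicious case, so the name and the owning process, not the memfd itself, are what distinguish the two.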
And because the temporary in-memory LXC binary is sealed, writes to it fail as well.</p><p id="f06a" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">As we can see, some applications use reflective code loading to fix security vulnerabilities, so it is essential to understand your operating environment during the analysis.</p><h1 id="bdef" class="ij ik ct eb il im in hp io ip iq ht ir is it iu iv iw ix iy iz ja jb jc jd je dq"><strong class="dr">Conclusion</strong></h1><p id="abd8" class="hk hl ct hm b hn jf hp hq hr jg ht hu hv jh hx hy hz ji ib ic id jj if ig ih cl dq">We discussed the important artifacts to examine when detecting and responding to reflective code loading. We also described legitimate uses of reflective code loading.</p><p id="7d82" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">Understanding application behaviors and your own operating environment is critical to investigating and detecting such techniques. 
It is much more beneficial to obtain a sequence of execution behaviors and analyze them holistically.</p><p id="f0e1" class="hk hl ct hm b hn ho hp hq hr hs ht hu hv hw hx hy hz ia ib ic id ie if ig ih cl dq">Feel free to reach out with any questions you may have through <a class="em hj" href="https://www.confluera.com/contact" rel="noopener ugc nofollow" target="_blank">contact</a>.</p></div></div></section></div></div></article></div></div></div>
m\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fcdn-images-1.medium.com\u002Fmax\u002F596\u002F1*uULpIlImcO5TDuBZ6lm7Lg@2x.png","width":596,"height":183}}},"ae2a65f35510":{"name":"GEN","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F264\u002F1*RdVZMdvfV3YiZTw6mX7yWA.png","width":264,"height":140}}},"88d9857e584e":{"name":"LEVEL","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F540\u002F1*JqYMhNX6KNNb2UlqGqO2WQ.png","width":540,"height":108}}},"7b6769f2748b":{"name":"Marker","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fcdn-images-1.medium.com\u002Fmax\u002F383\u002F1*haCUs0wF6TgOOvfoY-jEoQ@2x.png","width":383,"height":92}}},"444d13b52878":{"name":"OneZero","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F540\u002F1*cw32fIqCbRWzwJaoQw6BUg.png","width":540,"height":123}}},"8ccfed20cbb2":{"name":"Zora","data":{"@type":"NewsMediaOrganization","ethicsPolicy":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Farticles\u002F360043290473","logo":{"@type":"ImageObject","url":"https:\u002F\u002Fmiro.medium.com\u002Fmax\u002F540\u002F1*tZUQqRcCCZDXjjiZ4bDvgQ.png","width":540,"height":106}}}},"embeddedPostIds":{"coronavirus":"cd3010f9d81f"},"sharedCdcMessaging":{"COVID_APPLICABLE_TAG_SLUGS":[],"COVID_APPLICABLE_TOPIC_NAMES":[],"COVID_APP
LICABLE_TOPIC_NAMES_FOR_TOPIC_PAGE":[],"COVID_MESSAGES":{"tierA":{"text":"For more information on the novel coronavirus and Covid-19, visit cdc.gov.","markups":[{"start":66,"end":73,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]},"tierB":{"text":"Anyone can publish on Medium per our Policies, but we don’t fact-check every story. For more info about the coronavirus, see cdc.gov.","markups":[{"start":37,"end":45,"href":"https:\u002F\u002Fhelp.medium.com\u002Fhc\u002Fen-us\u002Fcategories\u002F201931128-Policies-Safety"},{"start":125,"end":132,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]},"paywall":{"text":"This article has been made free for everyone, thanks to Medium Members. For more information on the novel coronavirus and Covid-19, visit cdc.gov.","markups":[{"start":56,"end":70,"href":"https:\u002F\u002Fmedium.com\u002Fmembership"},{"start":138,"end":145,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]},"unbound":{"text":"This article is free for everyone, thanks to Medium Members. For more information on the novel coronavirus and Covid-19, visit cdc.gov.","markups":[{"start":45,"end":59,"href":"https:\u002F\u002Fmedium.com\u002Fmembership"},{"start":127,"end":134,"href":"https:\u002F\u002Fwww.cdc.gov\u002Fcoronavirus\u002F2019-nCoV"}]}},"COVID_BANNER_POST_ID_OVERRIDE_WHITELIST":["3b31a67bff4a"]},"sharedVoteMessaging":{"TAGS":["politics","election-2020","government","us-politics","election","2020-presidential-race","trump","donald-trump","democrats","republicans","congress","republican-party","democratic-party","biden","joe-biden","maga"],"TOPICS":["politics","election"],"MESSAGE":{"text":"Find out more about the U.S. 
election results here.","markups":[{"start":46,"end":50,"href":"https:\u002F\u002Fcookpolitical.com\u002F2020-national-popular-vote-tracker"}]},"EXCLUDE_POSTS":["397ef29e3ca5"]},"embedPostRules":[],"recircOptions":{"v1":{"limit":3},"v2":{"limit":8}},"braintreeClientKey":"production_zjkj96jm_m56f8fqpf7ngnrd4","braintree":{"enabled":true,"merchantId":"m56f8fqpf7ngnrd4","merchantAccountId":{"usd":"AMediumCorporation_instant","eur":"amediumcorporation_EUR"},"publicKey":"cwr8xtycwgjryv82","braintreeEnvironment":"production","dashboardUrl":"https:\u002F\u002Fwww.braintreegateway.com\u002Fmerchants","gracePeriodDurationInDays":14,"mediumMembershipPlanId":{"monthly":"ce105f8c57a3","monthlyWithTrial":"d5ee3dbe3db8","yearly":"a40ad4a43185","yearlyStaff":"d74fb811198a","yearlyWithTrial":"b3bc7350e5c7"},"braintreeDiscountId":{"oneMonthFree":"MONTHS_FREE_01","threeMonthsFree":"MONTHS_FREE_03","sixMonthsFree":"MONTHS_FREE_06"},"3DSecureVersion":"2","defaultCurrency":"usd"},"paypalClientId":"AXj1G4fotC2GE8KzWX9mSxCH1wmPE3nJglf4Z2ig_amnhvlMVX87otaq58niAg9iuLktVNF_1WCMnN7v","paypal":{"host":"https:\u002F\u002Fapi.paypal.com:443","clientMode":"production","serverMode":"live","webhookId":"4G466076A0294510S","monthlyPlan":{"planId":"P-9WR0658853113943TMU5FDQA","name":"Medium Membership (Monthly) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"yearlyPlan":{"planId":"P-7N8963881P8875835MU5JOPQ","name":"Medium Membership (Annual) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed annually."},"oneYearGift":{"name":"Medium Membership (1 Year, Digital Gift Code)","description":"Unlimited access to the best and brightest stories on Medium. 
Gift codes can be redeemed at medium.com\u002Fredeem.","price":"50.00","currency":"USD","sku":"membership-gift-1-yr"},"oldMonthlyPlan":{"planId":"P-96U02458LM656772MJZUVH2Y","name":"Medium Membership (Monthly)","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"oldYearlyPlan":{"planId":"P-59P80963JF186412JJZU3SMI","name":"Medium Membership (Annual)","description":"Unlimited access to the best and brightest stories on Medium. Membership billed annually."},"monthlyPlanWithTrial":{"planId":"P-66C21969LR178604GJPVKUKY","name":"Medium Membership (Monthly) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"yearlyPlanWithTrial":{"planId":"P-6XW32684EX226940VKCT2MFA","name":"Medium Membership (Annual) with setup fee","description":"Unlimited access to the best and brightest stories on Medium. Membership billed annually."},"oldMonthlyPlanNoSetupFee":{"planId":"P-4N046520HR188054PCJC7LJI","name":"Medium Membership (Monthly)","description":"Unlimited access to the best and brightest stories on Medium. Membership billed monthly."},"oldYearlyPlanNoSetupFee":{"planId":"P-7A4913502Y5181304CJEJMXQ","name":"Medium Membership (Annual)","description":"Unlimited access to the best and brightest stories on Medium. 
Membership billed annually."},"sdkUrl":"https:\u002F\u002Fwww.paypal.com\u002Fsdk\u002Fjs"},"stripePublishableKey":"pk_live_7FReX44VnNIInZwrIIx6ghjl","log":{"json":true,"level":"info"}},"session":{"xsrf":""}}</script><script>window.__APOLLO_STATE__ = {"ROOT_QUERY":{"__typename":"Query","meterPost({\"postId\":\"21f9c7d8a014\",\"postMeteringOptions\":{\"referrer\":\"\",\"sk\":null,\"source\":null}})":{"__ref":"MeteringInfo:{}"},"postResult({\"id\":\"21f9c7d8a014\"})":{"__ref":"Post:21f9c7d8a014"}},"MeteringInfo:{}":{"__typename":"MeteringInfo","postIds":[],"maxUnlockCount":3,"unlocksRemaining":0},"User:138f8633036e":{"id":"138f8633036e","__typename":"User","name":"Rex Guo","username":"rex-11050","newsletterV3":{"__ref":"NewsletterV3:bf1ea97912c3"},"customStyleSheet":null,"isSuspended":false,"bio":"Redefining security at Lacework | Ex-Cisco Acquisition | Ex-Intel Security | Blackhat\u002FDefcon speaker | @Xiaofei_REX","imageId":"1*oJssekvq2DlebIDSamLo-A.png","hasCompletedProfile":false,"isAuroraVisible":true,"mediumMemberAt":0,"socialStats":{"__typename":"SocialStats","followerCount":24,"followingCount":3,"collectionFollowingCount":2},"customDomainState":{"__typename":"CustomDomainState","live":{"__typename":"CustomDomain","domain":"rex-11050.medium.com","status":"ACTIVE","isSubdomain":true}},"hasSubdomain":true,"bookAuthor":null,"isPartnerProgramEnrolled":false,"viewerEdge":{"__ref":"UserViewerEdge:userId:138f8633036e-viewerId:lo_6fd2fdd5143d"},"viewerIsUser":false,"homepagePostsConnection({\"paging\":{\"limit\":1}})":{"__typename":"PostConnection","posts":[{"__ref":"Post:da7da34ed301"}]},"postSubscribeMembershipUpsellShownAt":0,"allowNotes":true,"replyToEmailBannerShownCount":0,"twitterScreenName":"Xiaofei_REX","followedCollections":2,"referredMembershipCustomHeadline":"","referredMembershipCustomBody":"","atsQualifiedAt":1620986257962},"ImageMetadata:":{"id":"","__typename":"ImageMetadata"},"CollectionViewerEdge:collectionId:7b3e2b415688-viewerId:lo_6fd2fdd5143d":{"
id":"collectionId:7b3e2b415688-viewerId:lo_6fd2fdd5143d","__typename":"CollectionViewerEdge","isEditor":false},"ImageMetadata:1*ZP9VuUzDajG62zTUd0fdpw.png":{"id":"1*ZP9VuUzDajG62zTUd0fdpw.png","__typename":"ImageMetadata","originalWidth":1025,"originalHeight":1025},"User:ff605f3b4a67":{"id":"ff605f3b4a67","__typename":"User","atsQualifiedAt":0},"ImageMetadata:1*7tbfIVWetsgd4ZTsKMoyEA.png":{"id":"1*7tbfIVWetsgd4ZTsKMoyEA.png","__typename":"ImageMetadata"},"Collection:7b3e2b415688":{"id":"7b3e2b415688","__typename":"Collection","domain":null,"googleAnalyticsId":null,"slug":"confluera-engineering","colorBehavior":"ACCENT_COLOR","isAuroraVisible":false,"favicon":{"__ref":"ImageMetadata:"},"name":"Confluera Engineering","colorPalette":{"__typename":"ColorPalette","highlightSpectrum":{"__typename":"ColorSpectrum","backgroundColor":"#FFFFFFFF","colorPoints":[{"__typename":"ColorPoint","color":"#FFF4F2F2","point":0},{"__typename":"ColorPoint","color":"#FFF2F0F0","point":0.1},{"__typename":"ColorPoint","color":"#FFF0EEEE","point":0.2},{"__typename":"ColorPoint","color":"#FFEEECEC","point":0.3},{"__typename":"ColorPoint","color":"#FFECEBEA","point":0.4},{"__typename":"ColorPoint","color":"#FFEAE9E8","point":0.5},{"__typename":"ColorPoint","color":"#FFE8E7E7","point":0.6},{"__typename":"ColorPoint","color":"#FFE6E5E5","point":0.7},{"__typename":"ColorPoint","color":"#FFE4E3E3","point":0.8},{"__typename":"ColorPoint","color":"#FFE2E1E1","point":0.9},{"__typename":"ColorPoint","color":"#FFE0DFDF","point":1}]},"defaultBackgroundSpectrum":{"__typename":"ColorSpectrum","backgroundColor":"#FFFFFFFF","colorPoints":[{"__typename":"ColorPoint","color":"#FF848585","point":0},{"__typename":"ColorPoint","color":"#FF7B7B7B","point":0.1},{"__typename":"ColorPoint","color":"#FF717272","point":0.2},{"__typename":"ColorPoint","color":"#FF686868","point":0.3},{"__typename":"ColorPoint","color":"#FF5E5E5E","point":0.4},{"__typename":"ColorPoint","color":"#FF545454","point":0.5},{"__typename":"Co
lorPoint","color":"#FF494A4A","point":0.6},{"__typename":"ColorPoint","color":"#FF3F3F3F","point":0.7},{"__typename":"ColorPoint","color":"#FF333333","point":0.8},{"__typename":"ColorPoint","color":"#FF272727","point":0.9},{"__typename":"ColorPoint","color":"#FF1A1A1A","point":1}]},"tintBackgroundSpectrum":{"__typename":"ColorSpectrum","backgroundColor":"#FFFFFFFF","colorPoints":[{"__typename":"ColorPoint","color":"#FFFFFFFF","point":0},{"__typename":"ColorPoint","color":"#FFECECEC","point":0.1},{"__typename":"ColorPoint","color":"#FFD9D9D9","point":0.2},{"__typename":"ColorPoint","color":"#FFC5C6C6","point":0.3},{"__typename":"ColorPoint","color":"#FFB1B1B1","point":0.4},{"__typename":"ColorPoint","color":"#FF9C9D9D","point":0.5},{"__typename":"ColorPoint","color":"#FF868787","point":0.6},{"__typename":"ColorPoint","color":"#FF6F7071","point":0.7},{"__typename":"ColorPoint","color":"#FF575959","point":0.8},{"__typename":"ColorPoint","color":"#FF3D3F3F","point":0.9},{"__typename":"ColorPoint","color":"#FF202122","point":1}]}},"customStyleSheet":null,"tagline":"Confluera Engineering Blog","isAuroraEligible":false,"viewerEdge":{"__ref":"CollectionViewerEdge:collectionId:7b3e2b415688-viewerId:lo_6fd2fdd5143d"},"logo":{"__ref":"ImageMetadata:1*ZP9VuUzDajG62zTUd0fdpw.png"},"navItems":[],"creator":{"__ref":"User:ff605f3b4a67"},"subscriberCount":42,"newsletterV3":null,"avatar":{"__ref":"ImageMetadata:1*7tbfIVWetsgd4ZTsKMoyEA.png"},"canToggleEmail":false,"description":"Confluera engineering is not perfect, but we pursue perfection. 
We write our journey here.","ampEnabled":false,"twitterUsername":null,"facebookPageId":null,"customDomainState":null,"ptsQualifiedAt":0},"UserViewerEdge:userId:138f8633036e-viewerId:lo_6fd2fdd5143d":{"id":"userId:138f8633036e-viewerId:lo_6fd2fdd5143d","__typename":"UserViewerEdge","isFollowing":false,"isUser":false},"NewsletterV3:bf1ea97912c3":{"id":"bf1ea97912c3","__typename":"NewsletterV3","type":"NEWSLETTER_TYPE_AUTHOR","slug":"138f8633036e","name":"138f8633036e","collection":null,"user":{"__ref":"User:138f8633036e"},"description":"","promoHeadline":"","promoBody":"","replyToEmail":"","showPromo":false,"subscribersCount":1},"Post:da7da34ed301":{"id":"da7da34ed301","__typename":"Post"},"Paragraph:bfd4f2ce01ee_0":{"id":"bfd4f2ce01ee_0","__typename":"Paragraph","name":"578a","text":"Detection and Response for Linux Reflective Code Loading Malware— This is How","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":77,"type":"STRONG","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_1":{"id":"bfd4f2ce01ee_1","__typename":"Paragraph","name":"ee06","text":"Human fighting with virus. 
source: www.newyorker.com","type":"IMG","href":null,"layout":"INSET_CENTER","metadata":{"__ref":"ImageMetadata:1*e7pB-lobhFELlsuHZB-1cQ.png"},"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":35,"end":52,"type":"A","href":"http:\u002F\u002Fwww.newyorker.com","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_2":{"id":"bfd4f2ce01ee_2","__typename":"Paragraph","name":"d391","text":"Summary","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":7,"type":"STRONG","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_3":{"id":"bfd4f2ce01ee_3","__typename":"Paragraph","name":"b73a","text":"In part 1 of this blog series, we discussed how reflective code loading using anonymous files works in Linux. In this blog, We will dive deeper into how to detect and respond to such behavior. 
We will also discuss legitimate usage of the anonymous file.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":3,"end":9,"type":"A","href":"https:\u002F\u002Frex-11050.medium.com\u002Freflective-code-loading-in-linux-a-new-defense-evasion-technique-in-mitre-att-ck-v10-da7da34ed301","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_4":{"id":"bfd4f2ce01ee_4","__typename":"Paragraph","name":"3a2a","text":"This blog is co-authored with Joel Schopp.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":30,"end":41,"type":"A","href":"https:\u002F\u002Fmedium.com\u002F@joel.schopp","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_5":{"id":"bfd4f2ce01ee_5","__typename":"Paragraph","name":"47a4","text":"How to Detect Anonymous File Execution?","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":39,"type":"STRONG","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_6":{"id":"bfd4f2ce01ee_6","__typename":"Paragraph","name":"6f77","text":"The ideal scenario is that when reflective code loading happens, security teams are notified in real time and can examine the application's behavior. If the security team does not have such real-time detection capabilities, or has to respond to such threats manually, here are a few things the team can do.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_7":{"id":"bfd4f2ce01ee_7","__typename":"Paragraph","name":"42ec","text":"lsof is a utility to list open files in Linux. 
It shows the list of open file descriptors, so an anonymous file that has been created will appear in its output.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":4,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_8":{"id":"bfd4f2ce01ee_8","__typename":"Paragraph","name":"ffcd","text":"$ sudo lsof | head -n 5","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_9":{"id":"bfd4f2ce01ee_9","__typename":"Paragraph","name":"0562","text":"COMMAND PID TID USER FD TYPE DEVICE SIZE\u002FOFF NODE NAME","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_10":{"id":"bfd4f2ce01ee_10","__typename":"Paragraph","name":"32f1","text":"systemd 1 root cwd DIR 8,1 4096 2 \u002F","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_11":{"id":"bfd4f2ce01ee_11","__typename":"Paragraph","name":"15ab","text":"systemd 1 root rtd DIR 8,1 4096 2 \u002F","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_12":{"id":"bfd4f2ce01ee_12","__typename":"Paragraph","name":"2dfa","text":"systemd 1 root txt REG 8,1 1616248 3675243 \u002Flib\u002Fsystemd\u002Fsystemd","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_13":{"id":"bfd4f2ce01ee_13","__typename":"Paragraph","name":"1ea6","text":"systemd 1 root mem REG 8,1 1700792 3670102 
\u002Flib\u002Fx86_64-linux-gnu\u002Flibm-2.27.so","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_14":{"id":"bfd4f2ce01ee_14","__typename":"Paragraph","name":"3f14","text":"lsof is able to list some attributes of the process that owns the file, as well as attributes of the file itself. To filter for reflective code loading files, we can run","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":4,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_15":{"id":"bfd4f2ce01ee_15","__typename":"Paragraph","name":"a3d3","text":"$ sudo lsof | grep memfd\n…","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_16":{"id":"bfd4f2ce01ee_16","__typename":"Paragraph","name":"88d8","text":"snapd-gli 2519 2522 alice 6u REG 0,1 67108864 143494 \u002Fmemfd:pulseaudio (deleted)","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_17":{"id":"bfd4f2ce01ee_17","__typename":"Paragraph","name":"5b13","text":"gsd-media 2743 alice DEL REG 0,1 146019 \u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_18":{"id":"bfd4f2ce01ee_18","__typename":"Paragraph","name":"7063","text":"gsd-media 2743 alice DEL REG 0,1 143494 
\u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_19":{"id":"bfd4f2ce01ee_19","__typename":"Paragraph","name":"0558","text":"gsd-media 2743 alice DEL REG 0,1 145962 \u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_20":{"id":"bfd4f2ce01ee_20","__typename":"Paragraph","name":"35e0","text":"gmain 2743 2801 alice DEL REG 0,1 146019 \u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_21":{"id":"bfd4f2ce01ee_21","__typename":"Paragraph","name":"58ee","text":"gmain 2743 2801 alice DEL REG 0,1 143494 \u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_22":{"id":"bfd4f2ce01ee_22","__typename":"Paragraph","name":"8600","text":"gmain 2743 2801 alice DEL REG 0,1 145962 \u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_23":{"id":"bfd4f2ce01ee_23","__typename":"Paragraph","name":"8488","text":"gdbus 2743 2802 alice DEL REG 0,1 146019 \u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_24":{"id":"bfd4f2ce01ee_24","__typename":"Paragraph","name":"2908","text":"gdbus 2743 2802 alice DEL REG 0,1 143494 
\u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_25":{"id":"bfd4f2ce01ee_25","__typename":"Paragraph","name":"b515","text":"gdbus 2743 2802 alice DEL REG 0,1 145962 \u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_26":{"id":"bfd4f2ce01ee_26","__typename":"Paragraph","name":"9b8e","text":"dconf\\x20 2743 2816 alice DEL REG 0,1 146019 \u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_27":{"id":"bfd4f2ce01ee_27","__typename":"Paragraph","name":"9f47","text":"dconf\\x20 2743 2816 alice DEL REG 0,1 143494 \u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_28":{"id":"bfd4f2ce01ee_28","__typename":"Paragraph","name":"0e9b","text":"dconf\\x20 2743 2816 alice DEL REG 0,1 145962 \u002Fmemfd:pulseaudio","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_29":{"id":"bfd4f2ce01ee_29","__typename":"Paragraph","name":"c4ba","text":"4 40215 alice cwd DIR 8,1 4096 403246 \u002Fhome\u002Falice\u002Fmemfd_create","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_30":{"id":"bfd4f2ce01ee_30","__typename":"Paragraph","name":"ddf4","text":"4 40215 alice txt REG 0,1 23976 16703995 \u002Fmemfd:a 
(deleted)","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_31":{"id":"bfd4f2ce01ee_31","__typename":"Paragraph","name":"4c70","text":"This particular entry in the listing above looks interesting:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_32":{"id":"bfd4f2ce01ee_32","__typename":"Paragraph","name":"8e92","text":"COMMAND PID TID USER FD TYPE DEVICE SIZE\u002FOFF NODE NAME","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_33":{"id":"bfd4f2ce01ee_33","__typename":"Paragraph","name":"8ffb","text":"4 40215 alice txt REG 0,1 23976 16703995 \u002Fmemfd:a (deleted)","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_34":{"id":"bfd4f2ce01ee_34","__typename":"Paragraph","name":"af4a","text":"The NAME field represents the path of the file, and we can see that anonymous files can be identified by \u002Fmemfd: .","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":4,"end":8,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":105,"end":112,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_35":{"id":"bfd4f2ce01ee_35","__typename":"Paragraph","name":"863c","text":"The a in \u002Fmemfd:a (deleted) is from the argument we gave when making the memfd_create() syscall. This field can also be set freely by the application. 
Please refer to the first part of our blog for the source code of the demo program.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":4,"end":5,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":9,"end":27,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":73,"end":87,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_36":{"id":"bfd4f2ce01ee_36","__typename":"Paragraph","name":"4274","text":"The FD column indicates that this is a TXT type, i.e., it is a binary being executed.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":4,"end":6,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":39,"end":42,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_37":{"id":"bfd4f2ce01ee_37","__typename":"Paragraph","name":"0c13","text":"These indicators above tell us that this is reflective code loading using anonymous files. What is interesting is the COMMAND column shows 4. This is because when the anonymous file is executed by the child process, the file descriptor is number 4. Using a number as the command for a process is unusual and can be a suspicious indicator. 
However, one should be aware that an attacker can use prctl to change the command field of a process to something that looks legitimate after executing the anonymous file.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":139,"end":140,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null},{"__typename":"Markup","start":393,"end":398,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_38":{"id":"bfd4f2ce01ee_38","__typename":"Paragraph","name":"7fc2","text":"How to Respond to Reflective Code Loading?","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":42,"type":"STRONG","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_39":{"id":"bfd4f2ce01ee_39","__typename":"Paragraph","name":"ccd8","text":"If we identify reflective code loading, the next step is to analyze whether the application behaves maliciously and whether it is a legitimate ELF binary. The former can be achieved with real-time detection tools. For the latter, we can dump the ELF binary directly from the \u002Fproc file system. 
Given that the process id owning the reflectively loaded file is 40215, we can run:","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":275,"end":280,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_40":{"id":"bfd4f2ce01ee_40","__typename":"Paragraph","name":"0874","text":"$ cat \u002Fproc\u002F40215\u002Fexe \u003E \u002Ftmp\u002F40215_elf","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_41":{"id":"bfd4f2ce01ee_41","__typename":"Paragraph","name":"f382","text":"$ file \u002Ftmp\u002F40215_elf","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_42":{"id":"bfd4f2ce01ee_42","__typename":"Paragraph","name":"9392","text":"40215_elf: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter \u002Flib64\u002Fld-linux-x86-64.so.2, for GNU\u002FLinux 3.2.0, BuildID[sha1]=1bc82caf2f0c662f06e0c338e4d4db7d9d610cd0, stripped","type":"PRE","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_43":{"id":"bfd4f2ce01ee_43","__typename":"Paragraph","name":"9781","text":"Since we now have the full ELF file, it can be analyzed with the traditional binary analysis toolchain.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_44":{"id":"bfd4f2ce01ee_44","__typename":"Paragraph","name":"d859","text":"Legitimate use cases of Reflective Code 
Loading","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":47,"type":"STRONG","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_45":{"id":"bfd4f2ce01ee_45","__typename":"Paragraph","name":"84d2","text":"Whenever we discuss attackers’ behaviors, it is necessary to understand the full picture, i.e., what are the legitimate use cases?","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_46":{"id":"bfd4f2ce01ee_46","__typename":"Paragraph","name":"e6db","text":"In fact, reflective code loading has been used to fix a Docker security vulnerability. CVE-2019-5736 is a runc vulnerability which allows the attacker to break out of a container. This blog will summarize the vulnerability and focus on discussing how reflective code loading is used to patch security vulnerabilities. For in-depth details of the vulnerability, we recommend this blog from Unit42 researchers.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":379,"end":383,"type":"A","href":"https:\u002F\u002Funit42.paloaltonetworks.com\u002Fbreaking-docker-via-runc-explaining-cve-2019-5736\u002F","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_47":{"id":"bfd4f2ce01ee_47","__typename":"Paragraph","name":"19b7","text":"CVE-2019-5736 allows an attacker to overwrite the host runc binary through symbolic links. The container runtime will be tricked to open the symbolic link in the \u002Fproc file system that points to the runc binary. 
The attacker within the container can then obtain a handle to the runc file on the host and overwrite the binary after the runc process exits.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":162,"end":167,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_48":{"id":"bfd4f2ce01ee_48","__typename":"Paragraph","name":"8ad6","text":"To prevent this attack, LXC has been patched to create a temporary copy of the calling binary itself when it starts or attaches to containers. To do this LXC creates an anonymous, in-memory file using the memfd_create() system call and copies itself into the temporary in-memory file, which is then sealed to prevent further modifications. LXC then executes this sealed, in-memory file instead of the original on-disk binary. Any compromising write operations from a privileged container to the host LXC binary will then write to the temporary in-memory binary and not to the host binary on-disk, preserving the integrity of the host LXC binary. 
Also, because the temporary, in-memory LXC binary is sealed, writes to it will fail.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":205,"end":219,"type":"CODE","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_49":{"id":"bfd4f2ce01ee_49","__typename":"Paragraph","name":"f06a","text":"As we can see, certain applications use reflective code loading to fix security vulnerabilities, so it is essential to understand your operating environment during the analysis.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_50":{"id":"bfd4f2ce01ee_50","__typename":"Paragraph","name":"bdef","text":"Conclusion","type":"H3","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":0,"end":10,"type":"STRONG","href":null,"anchorType":null,"userId":null,"linkMetadata":null}],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_51":{"id":"bfd4f2ce01ee_51","__typename":"Paragraph","name":"abd8","text":"We discussed the important artifacts to examine when detecting and responding to reflective code loading. We also described legitimate uses of reflective code loading.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_52":{"id":"bfd4f2ce01ee_52","__typename":"Paragraph","name":"7d82","text":"Understanding application behaviors and your own operating environment is critical to investigating and detecting such techniques. 
It is far more effective to obtain the full sequence of execution behaviors and analyze them holistically.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[],"dropCapImage":null},"Paragraph:bfd4f2ce01ee_53":{"id":"bfd4f2ce01ee_53","__typename":"Paragraph","name":"f0e1","text":"Feel free to reach out with any questions you may have through contact.","type":"P","href":null,"layout":null,"metadata":null,"hasDropCap":null,"iframe":null,"mixtapeMetadata":null,"markups":[{"__typename":"Markup","start":63,"end":70,"type":"A","href":"https:\u002F\u002Fwww.confluera.com\u002Fcontact","anchorType":"LINK","userId":null,"linkMetadata":null}],"dropCapImage":null},"ImageMetadata:1*e7pB-lobhFELlsuHZB-1cQ.png":{"id":"1*e7pB-lobhFELlsuHZB-1cQ.png","__typename":"ImageMetadata","originalHeight":768,"originalWidth":1595,"focusPercentX":null,"focusPercentY":null,"alt":null},"Tag:cybersecurity":{"id":"cybersecurity","__typename":"Tag","displayTitle":"Cybersecurity","normalizedTagSlug":"cybersecurity"},"Tag:cloud-security":{"id":"cloud-security","__typename":"Tag","displayTitle":"Cloud Security","normalizedTagSlug":"cloud-security"},"Tag:mitre-attack":{"id":"mitre-attack","__typename":"Tag","displayTitle":"Mitre 
Attack","normalizedTagSlug":"mitre-attack"},"Tag:malware":{"id":"malware","__typename":"Tag","displayTitle":"Malware","normalizedTagSlug":"malware"},"Tag:detection":{"id":"detection","__typename":"Tag","displayTitle":"Detection","normalizedTagSlug":"detection"},"PostViewerEdge:postId:21f9c7d8a014-viewerId:lo_6fd2fdd5143d":{"id":"postId:21f9c7d8a014-viewerId:lo_6fd2fdd5143d","__typename":"PostViewerEdge","catalogsConnection":null},"Post:21f9c7d8a014":{"id":"21f9c7d8a014","__typename":"Post","creator":{"__ref":"User:138f8633036e"},"canonicalUrl":"","collection":{"__ref":"Collection:7b3e2b415688"},"content({\"postMeteringOptions\":{\"referrer\":\"\",\"sk\":null,\"source\":null}})":{"__typename":"PostContent","isLockedPreviewOnly":false,"validatedShareKey":"","bodyModel":{"__typename":"RichText","paragraphs":[{"__ref":"Paragraph:bfd4f2ce01ee_0"},{"__ref":"Paragraph:bfd4f2ce01ee_1"},{"__ref":"Paragraph:bfd4f2ce01ee_2"},{"__ref":"Paragraph:bfd4f2ce01ee_3"},{"__ref":"Paragraph:bfd4f2ce01ee_4"},{"__ref":"Paragraph:bfd4f2ce01ee_5"},{"__ref":"Paragraph:bfd4f2ce01ee_6"},{"__ref":"Paragraph:bfd4f2ce01ee_7"},{"__ref":"Paragraph:bfd4f2ce01ee_8"},{"__ref":"Paragraph:bfd4f2ce01ee_9"},{"__ref":"Paragraph:bfd4f2ce01ee_10"},{"__ref":"Paragraph:bfd4f2ce01ee_11"},{"__ref":"Paragraph:bfd4f2ce01ee_12"},{"__ref":"Paragraph:bfd4f2ce01ee_13"},{"__ref":"Paragraph:bfd4f2ce01ee_14"},{"__ref":"Paragraph:bfd4f2ce01ee_15"},{"__ref":"Paragraph:bfd4f2ce01ee_16"},{"__ref":"Paragraph:bfd4f2ce01ee_17"},{"__ref":"Paragraph:bfd4f2ce01ee_18"},{"__ref":"Paragraph:bfd4f2ce01ee_19"},{"__ref":"Paragraph:bfd4f2ce01ee_20"},{"__ref":"Paragraph:bfd4f2ce01ee_21"},{"__ref":"Paragraph:bfd4f2ce01ee_22"},{"__ref":"Paragraph:bfd4f2ce01ee_23"},{"__ref":"Paragraph:bfd4f2ce01ee_24"},{"__ref":"Paragraph:bfd4f2ce01ee_25"},{"__ref":"Paragraph:bfd4f2ce01ee_26"},{"__ref":"Paragraph:bfd4f2ce01ee_27"},{"__ref":"Paragraph:bfd4f2ce01ee_28"},{"__ref":"Paragraph:bfd4f2ce01ee_29"},{"__ref":"Paragraph:bfd4f2ce01ee_30"},{"__ref":"Parag
raph:bfd4f2ce01ee_31"},{"__ref":"Paragraph:bfd4f2ce01ee_32"},{"__ref":"Paragraph:bfd4f2ce01ee_33"},{"__ref":"Paragraph:bfd4f2ce01ee_34"},{"__ref":"Paragraph:bfd4f2ce01ee_35"},{"__ref":"Paragraph:bfd4f2ce01ee_36"},{"__ref":"Paragraph:bfd4f2ce01ee_37"},{"__ref":"Paragraph:bfd4f2ce01ee_38"},{"__ref":"Paragraph:bfd4f2ce01ee_39"},{"__ref":"Paragraph:bfd4f2ce01ee_40"},{"__ref":"Paragraph:bfd4f2ce01ee_41"},{"__ref":"Paragraph:bfd4f2ce01ee_42"},{"__ref":"Paragraph:bfd4f2ce01ee_43"},{"__ref":"Paragraph:bfd4f2ce01ee_44"},{"__ref":"Paragraph:bfd4f2ce01ee_45"},{"__ref":"Paragraph:bfd4f2ce01ee_46"},{"__ref":"Paragraph:bfd4f2ce01ee_47"},{"__ref":"Paragraph:bfd4f2ce01ee_48"},{"__ref":"Paragraph:bfd4f2ce01ee_49"},{"__ref":"Paragraph:bfd4f2ce01ee_50"},{"__ref":"Paragraph:bfd4f2ce01ee_51"},{"__ref":"Paragraph:bfd4f2ce01ee_52"},{"__ref":"Paragraph:bfd4f2ce01ee_53"}],"sections":[{"__typename":"Section","name":"9db2","startIndex":0,"textLayout":null,"imageLayout":null,"backgroundImage":null,"videoLayout":null,"backgroundVideo":null}]}},"customStyleSheet":null,"firstPublishedAt":1638557988517,"isIndexable":true,"isLocked":false,"isPublished":true,"isShortform":false,"layerCake":0,"primaryTopic":null,"title":"Detection and Response for Linux Reflective Code Loading Malware— This is 
How","isMarkedPaywallOnly":false,"mediumUrl":"https:\u002F\u002Fmedium.com\u002Fconfluera-engineering\u002Fdetection-and-response-for-linux-reflective-code-loading-malware-this-is-how-21f9c7d8a014","readingTime":4.275471698113208,"detectedLanguage":"en","wordCount":1080,"isLimitedState":false,"visibility":"PUBLIC","license":"ALL_RIGHTS_RESERVED","inResponseToPostResult":null,"allowResponses":true,"newsletterId":"","sequence":null,"tags":[{"__ref":"Tag:cybersecurity"},{"__ref":"Tag:cloud-security"},{"__ref":"Tag:mitre-attack"},{"__ref":"Tag:malware"},{"__ref":"Tag:detection"}],"topics":[],"isNewsletter":false,"isPublishToEmail":false,"socialTitle":"","socialDek":"","noIndex":null,"curationStatus":null,"metaDescription":"","latestPublishedAt":1638598260724,"previewContent":{"__typename":"PreviewContent","subtitle":"Summary"},"previewImage":{"__ref":"ImageMetadata:1*e7pB-lobhFELlsuHZB-1cQ.png"},"clapCount":2,"postResponses":{"__typename":"PostResponses","count":0},"isSuspended":false,"pendingCollection":null,"statusForCollection":"APPROVED","lockedSource":"LOCKED_POST_SOURCE_NONE","pinnedAt":0,"pinnedByCreatorAt":0,"curationEligibleAt":0,"responseDistribution":"NOT_DISTRIBUTED","inResponseToEntityType":null,"internalLinks({\"paging\":{\"limit\":8}})":{"__typename":"InternalLinksConnection","items":[]},"viewerEdge":{"__ref":"PostViewerEdge:postId:21f9c7d8a014-viewerId:lo_6fd2fdd5143d"},"collaborators":[],"translationSourcePost":null,"audioVersionUrl":"","seoTitle":"","updatedAt":1640144356679,"shortformType":"SHORTFORM_TYPE_LINK","structuredData":"","seoDescription":"","latestPublishedVersion":"bfd4f2ce01ee","isAuthorNewsletter":false,"voterCount":2,"recommenders":[],"content({})":{"__typename":"PostContent","isLockedPreviewOnly":false,"validatedShareKey":"","bodyModel":{"__typename":"RichText","paragraphs":[{"__ref":"Paragraph:bfd4f2ce01ee_0"},{"__ref":"Paragraph:bfd4f2ce01ee_1"},{"__ref":"Paragraph:bfd4f2ce01ee_2"},{"__ref":"Paragraph:bfd4f2ce01ee_3"},{"__ref":"Paragr
aph:bfd4f2ce01ee_4"},{"__ref":"Paragraph:bfd4f2ce01ee_5"},{"__ref":"Paragraph:bfd4f2ce01ee_6"},{"__ref":"Paragraph:bfd4f2ce01ee_7"},{"__ref":"Paragraph:bfd4f2ce01ee_8"},{"__ref":"Paragraph:bfd4f2ce01ee_9"},{"__ref":"Paragraph:bfd4f2ce01ee_10"},{"__ref":"Paragraph:bfd4f2ce01ee_11"},{"__ref":"Paragraph:bfd4f2ce01ee_12"},{"__ref":"Paragraph:bfd4f2ce01ee_13"},{"__ref":"Paragraph:bfd4f2ce01ee_14"},{"__ref":"Paragraph:bfd4f2ce01ee_15"},{"__ref":"Paragraph:bfd4f2ce01ee_16"},{"__ref":"Paragraph:bfd4f2ce01ee_17"},{"__ref":"Paragraph:bfd4f2ce01ee_18"},{"__ref":"Paragraph:bfd4f2ce01ee_19"},{"__ref":"Paragraph:bfd4f2ce01ee_20"},{"__ref":"Paragraph:bfd4f2ce01ee_21"},{"__ref":"Paragraph:bfd4f2ce01ee_22"},{"__ref":"Paragraph:bfd4f2ce01ee_23"},{"__ref":"Paragraph:bfd4f2ce01ee_24"},{"__ref":"Paragraph:bfd4f2ce01ee_25"},{"__ref":"Paragraph:bfd4f2ce01ee_26"},{"__ref":"Paragraph:bfd4f2ce01ee_27"},{"__ref":"Paragraph:bfd4f2ce01ee_28"},{"__ref":"Paragraph:bfd4f2ce01ee_29"},{"__ref":"Paragraph:bfd4f2ce01ee_30"},{"__ref":"Paragraph:bfd4f2ce01ee_31"},{"__ref":"Paragraph:bfd4f2ce01ee_32"},{"__ref":"Paragraph:bfd4f2ce01ee_33"},{"__ref":"Paragraph:bfd4f2ce01ee_34"},{"__ref":"Paragraph:bfd4f2ce01ee_35"},{"__ref":"Paragraph:bfd4f2ce01ee_36"},{"__ref":"Paragraph:bfd4f2ce01ee_37"},{"__ref":"Paragraph:bfd4f2ce01ee_38"},{"__ref":"Paragraph:bfd4f2ce01ee_39"},{"__ref":"Paragraph:bfd4f2ce01ee_40"},{"__ref":"Paragraph:bfd4f2ce01ee_41"},{"__ref":"Paragraph:bfd4f2ce01ee_42"},{"__ref":"Paragraph:bfd4f2ce01ee_43"},{"__ref":"Paragraph:bfd4f2ce01ee_44"},{"__ref":"Paragraph:bfd4f2ce01ee_45"},{"__ref":"Paragraph:bfd4f2ce01ee_46"},{"__ref":"Paragraph:bfd4f2ce01ee_47"},{"__ref":"Paragraph:bfd4f2ce01ee_48"},{"__ref":"Paragraph:bfd4f2ce01ee_49"},{"__ref":"Paragraph:bfd4f2ce01ee_50"},{"__ref":"Paragraph:bfd4f2ce01ee_51"},{"__ref":"Paragraph:bfd4f2ce01ee_52"},{"__ref":"Paragraph:bfd4f2ce01ee_53"}],"sections":[{"__typename":"Section","name":"9db2","startIndex":0,"textLayout":null,"imageLayout":null,"backgroundImage":n
ull,"videoLayout":null,"backgroundVideo":null}]}}}}</script><script>window.__MIDDLEWARE_STATE__={"session":{"xsrf":""},"cache":{"cacheStatus":"EXPIRED","shouldUseCache":true}}</script><script src="https://cdn-client.medium.com/lite/static/js/manifest.68c44e1e.js"></script><script src="https://cdn-client.medium.com/lite/static/js/35565.71cd3bc0.js"></script><script src="https://cdn-client.medium.com/lite/static/js/main.e76d6dd7.js"></script><script src="https://cdn-client.medium.com/lite/static/js/45573.4354ed57.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/instrumentation.b36a3c7f.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/reporting.7ffdf826.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/1752.a348f767.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/7794.9590314e.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/8353.3bb2d559.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/80685.29e1bf85.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/11615.2fadd0d8.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/11034.d66e747e.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/90192.d7950368.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/79088.e4863540.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/19692.5d6b1ad8.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/81645.b955b7c8.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/95064.25d50b88.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/63303.b45636f0.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/88172.f30eccc2.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/5850.b6744db4.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/70832.444ac173.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/7632.7d93c1e0.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/72776.c48f900b.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/50327.c2422d85.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/5055.78455feb.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/12249.8b9953b3.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/61781.e9beefe1.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/56590.76c8b773.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/26022.be74e11b.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/39592.714f1ecb.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/25537.90af5bce.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/33673.952ffdce.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/95972.996c4300.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/92397.168bdb90.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/62182.016e5c0a.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/68519.8dfbac07.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/45002.d12ac37f.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/31142.7e55d860.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/989.c98c8a6f.chunk.js"></script>
<script src="https://cdn-client.medium.com/lite/static/js/Post.76a6c83b.chunk.js"></script><script>window.main();</script><script defer src="https://static.cloudflareinsights.com/beacon.min.js/v652eace1692a40cfa3763df669d7439c1639079717194" integrity="sha512-Gi7xpJR8tSkrpF7aordPZQlW2DLtzUlZcumS8dMQjwDHEnw9I7ZLyiOj/6tZStRBGtGgN6ceN6cMH8z7etPGlw==" data-cf-beacon='{"rayId":"6c25c413efdbf3e3","token":"0b5f665943484354a59c39c6833f7078","version":"2021.12.0","si":100}' crossorigin="anonymous"></script>
</body></html>